This changes WebCore::StyleMarqueeData from using 6 bits to 5 bits,
WebCore::RenderStyle::inherited_flags from using 36 bits to 35 bits,
and WebCore::RenderStyle::noninherited_flags from using 49 bits to
47 bits.

css/CSSFontSelector.cpp:
(WebCore::CSSFontSelector::CSSFontSelector): Added a call to
FontCache::addClient().
(WebCore::CSSFontSelector::~CSSFontSelector): Added a call to
FontCache::removeClient().
(WebCore::CSSFontSelector::fontCacheInvalidated): Added. Called by the
font cache when it is invalidated, and ensures that the document is
updated.

Fix output path of recently-added script phase to reference the correct file.
This prevents Xcode from running the script phase unnecessarily, which caused
the generated header to be recreated and lead to AllInOneFile.cpp rebuilding.

If a plug-in returned an error code from NPP_NewStream, we would call
NPP_DestroyStream while cleaning up the request. We now only call
NPP_DestroyStream if NPP_NewStream was successful, matching Firefox.

Revise Dan's fix for an assert on Windows, since layoutIfNeededRecursive doesn't exist on the
Mac. Revert updateControlTints and add the layout call outside of it in the already-existing
!PLATFORM(MAC) ifdef in FocusController's setActive method.

Remove the body of _NPN_SetException(), because it was simply calling
throwError(), which sets an exception on an ExecState but does not
actually handle it. The presence of an exception on the global ExecState
causes assertions that there is no exception set on that ExecState to
fail, as well as causing Machine::execute() to mistakingly return 0 in
some cases, as it assumes the presence of an exception implies that it
has run out of memory.

Updated this test result to match our new, smaller recursion limit.
With the new limit, an exception is thrown on entry to the document.write
script, which is why you see an exception logged to the console, instead
of caught inside the script.

I was never able to reproduce this issue, but Cameron could, and he says
that this patch fixes it.

The crash seems tied to a timer or event handler callback. In such a case,
the sole reference to the global object may be in the current call frame,
so we can't depend on the global object to mark the call frame area in
the register file.

The new GC marking rule is: the global object is not responsible for
marking the whole register file -- it's just responsible for the globals
section it's tied to. The heap is responsible for marking the call frame area.

Add the ability to tell DRT to call stopLoading on a WebFrame inside of a didStartProvisionalLoadForFrame
load delegate.

Required to add a layout test for the fix for <rdar://problem/5549871>

DumpRenderTree/mac/FrameLoadDelegate.mm:
(-[FrameLoadDelegate webView:didStartProvisionalLoadForFrame:]): If stopProvisionalFrameLoads is set, call
[WebFrame stopLoading] to test for the crash reflected in 5549871

All of the following are infrastructure to add the layoutTestController.setStopProvisionalFrameLoads() call:

page/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::isSlider):
(WebCore::AccessibilityRenderObject::valueForRange):
(WebCore::AccessibilityRenderObject::maxValueForRange):
(WebCore::AccessibilityRenderObject::minValueForRange):
(WebCore::AccessibilityRenderObject::accessibilityIsIgnored): We
were addressing the generic has-an-ARIA-role case too early here.
(WebCore::AccessibilityRenderObject::focusedUIElement): This is a
bug I ran into while testing role='spinbutton', spinbutton is a
role that can have an active descendant. But we were always trying
to forward focus to the active descendant, even if one was not
specified.
(WebCore::AccessibilityRenderObject::shouldFocusActiveDescendant):
'spinbutton' maps to ProgressIndicatorRole.
(WebCore::RoleEntry::):
(WebCore::AccessibilityRenderObject::canSetValueAttribute):

profiler/CallIdentifier.h: Rename debug function to make it clear of
its output and intention to be debug only.
(KJS::CallIdentifier::operator const char* ): Implement in terms of
c_str.
(KJS::CallIdentifier::c_str):

profiler/ProfileNode.cpp: Impelment findChild() which will be needed
by the bottom-up implementation.
(KJS::ProfileNode::findChild):

profiler/ProfileNode.h: Added comments to make the collections of
functions more clear.
(KJS::ProfileNode::operator==):
(KJS::ProfileNode::c_str):

In order to fix this we now make the rendering context and the canvas element
share the same reference count, ensuring that references to the rendering
context will force the canvas element to remain live as well.

kjs/JSLock.h:
(KJS::JSLock::JSLock):
(KJS::JSLock::~JSLock):
Made JSLock and JSLock::DropAllLocks constructors take a parameter to decide whether to
actually lock a mutex, or only to increment recursion count. We cannot turn it into no-op
if we want to keep existing assertions working.
Made recursion count per-thread, now that locks may not lock.

API/JSBase.cpp:
(JSEvaluateScript): Take JSLock after casting JSContextRef to ExecState* (which doesn't need
locking in any case), so that a decision whether to actually lock can be made.
(JSCheckScriptSyntax): Ditto.
(JSGarbageCollect): Only lock while collecting the shared heap, not the per-thread one.

API/JSObjectRef.cpp:
(JSClassCreate): Don't lock, as there is no reason to.
(JSClassRetain): Ditto.
(JSClassRelease): Ditto.
(JSPropertyNameArrayRetain): Ditto.
(JSPropertyNameArrayRelease): Only lock while deleting the array, as that may touch
identifier table.
(JSPropertyNameAccumulatorAddName): Adding a string also involves an identifier table
lookup, and possibly modification.

API/JSStringRefCF.cpp:
(JSStringCreateWithCFString):
JSStringRef operations other than releasing do not need locking.

VM/Machine.cpp: Don't include unused JSLock.h.

kjs/CollectorHeapIntrospector.cpp: (KJS::CollectorHeapIntrospector::statistics):
Don't take the lock for real, as heap introspection pauses the process anyway. It seems that
the existing code could cause deadlocks.

kjs/collector.h:
(KJS::Heap::setGCProtectNeedsLocking): Optionally protect m_protectedValues access with a
per-heap mutex. This is only needed for WebCore Database code, which violates the "no data
migration between threads" by using ProtectedPtr on a background thread.
(KJS::Heap::isShared): Keep a shared flag here, as well.

kjs/protect.h:
(KJS::::ProtectedPtr):
(KJS::::~ProtectedPtr):
(KJS::::operator):
(KJS::operator==):
(KJS::operator!=):
ProtectedPtr is ony used from WebCore, so it doesn't need to take JSLock. An assertion in
Heap::protect/unprotect guards agains possible future unlocked uses of ProtectedPtr in JSC.

kjs/collector.cpp:
(KJS::Heap::Heap): Initialize m_isShared.
(KJS::Heap::~Heap): No need to lock for real during destruction, but must keep assertions
in sweep() working.
(KJS::destroyRegisteredThread): Registered thread list is only accessed for shared heap,
so locking is always needed here.
(KJS::Heap::registerThread): Ditto.
(KJS::Heap::markStackObjectsConservatively): Use m_isShared instead of comparing to a shared
instance for a small speedup.
(KJS::Heap::setGCProtectNeedsLocking): Create m_protectedValuesMutex. There is currently no
way to undo this - and ideally, Database code will be fixed to lo longer require this quirk.
(KJS::Heap::protect): Take m_protectedValuesMutex (if it exists) while accessing
m_protectedValues.
(KJS::Heap::unprotect): Ditto.
(KJS::Heap::markProtectedObjects): Ditto.
(KJS::Heap::protectedGlobalObjectCount): Ditto.
(KJS::Heap::protectedObjectCount): Ditto.
(KJS::Heap::protectedObjectTypeCounts): Ditto.

kjs/ustring.cpp:

kjs/ustring.h:
Don't include JSLock.h, which is no longer used here. As a result, an explicit include had
to be added to many files in JavaScriptGlue, WebCore and WebKit.